On 4/04/2018 3:35 AM, Jim Lohiser wrote:

NetWin,

A customer is reporting phishing messages that are slipping through the spam filters in SurgeMail.  I had them send the headers for an example message.  It appears that SurgeMail is incorrectly parsing the From header and that is allowing the message to slip through. A copy of the From header and the spam log for this message is included below.

From: "towens@" <somedomain.tld steven-girard@Bbox.fr>

2018-04-03 08:39:32.00 ALLOWED [150150307] ip(194.158.98.45) from(steven-girard@bbox.fr,towens@somedomain.tld) subject(inv # xz-9988187676) friend is known (friend_known.deliver_local wild (*@somedomain.tld) in users friend.lst)

It looks like the spammers are sending bad From headers in order to intentionally trick your spam filter. How can we prevent this from happening?

Yes remove the *@somedomani.tld from the exceptions if at all possible

We have had similar issues in the past with SurgeMail parsing using the "display" portion of From headers instead of only using the actual email address and this has caused other problems, including blocking emails from the Wall Street Journal. Can the From header parsing be made more strict so that it *ONLY* looks at the email address portion of the From header?

Can you give the headers of an example message and I'll run some tests. But fundamentally that isn't going to make a big difference I don't think. The problem is the wild card rule means the spammers random guess of a return address will usually work.

There are some other settings that may help, if I can see the full headers of a problem message then I may be able to offer something useful to cut these down.

Send headers etc to surgemail-support@netwinsite.com
    ChrsiP.